Azure ARC Related Persistence Detection
Nf Ttp T1543 Peach Sandstorm Azure Arc Persistence
Query
// Unexpected installation of azure arc agent - service installation
let ServiceNames = datatable(name:string)["himds.exe","gc_arc_service.exe","gc_extension_service.exe"];
DeviceEvents
| where ActionType =~ "ServiceInstalled"
| extend ServiceName = tostring(parse_json(AdditionalFields).ServiceName)
| extend ServiceAccount = tostring(parse_json(AdditionalFields).ServiceAccount)
| extend ServiceStartType = tostring(parse_json(AdditionalFields).ServiceStartType)
| extend ServiceType = tostring(parse_json(AdditionalFields).ServiceType)
| where ServiceName has_any (ServiceNames)About this query
Explanation
This query is designed to detect unauthorized installations of Azure ARC agents, which could be used by attackers to maintain persistent access to compromised systems. It consists of two parts:
-
Service Installation Detection: This part of the query looks for the installation of specific services associated with Azure ARC agents. It checks for service installation events and filters them by specific service names (
himds.exe,gc_arc_service.exe,gc_extension_service.exe). If any of these services are installed, it could indicate an unauthorized installation of an Azure ARC agent. -
File Path Creation Detection: This part of the query monitors for the creation of specific file paths related to Azure ARC agents. It looks for file creation events and checks if the file paths match known paths used by Azure ARC agents (
\\AzureConnectedMachineAgent\\GCArcService\\GC). The presence of these file paths could also indicate an unauthorized installation.
Overall, the query helps identify potential security risks by detecting unexpected installations of Azure ARC agents, which could be used by attackers to maintain control over a network.
